On Fri, 2007-09-14 at 14:07 -0300, Andreas Hasenack wrote:
> So why was "jsmith" allowed to create a new entry under ou=sudoers? He
> is not a member of any of the special groups, and I only changed the ACL
> line from "by group" to "by set".
This is the right ACL. At least, this one works for me:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
        attrs=children,entry,@sudoRole
        by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* & user" write
        by * read
I was missing the "& user" part. And it works with nested groups now:
$ ldapsearch -x -LLL "cn=sudo admins" member
dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
member: cn=Account Admins,ou=System Groups,dc=example,dc=com
$ ldapsearch -x -LLL "cn=account admins" member
dn: cn=Account Admins,ou=System Groups,dc=example,dc=com
member: uid=Account Admin,ou=System Accounts,dc=example,dc=com
member: uid=jsmith,ou=people,dc=example,dc=com
And jsmith can create/change sudo entries:
$ ldapadd -x -D uid=jsmith,ou=people,dc=example,dc=com -w jsmith < foo.ldif
adding new entry "cn=iurt,ou=sudoers,dc=example,dc=com"
$
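An added example, not part of the thread, that models the slapd set-ACL semantics in Python: `[dn]/member*` is the transitive closure of the group's member attribute, and a `by set` clause grants when the resulting set is non-empty, so the `& user` intersection with the bind DN is what confines write access to actual (possibly nested) members. The directory contents, the ACL regex and the DNs are constructed from the ldapsearch output above.

```python
import re

# Constructed toy directory (not the poster's data): DN -> attributes.
DIRECTORY = {
    "cn=Sudo Admins,ou=System Groups,dc=example,dc=com": {
        "member": [
            "uid=Sudo Admin,ou=System Accounts,dc=example,dc=com",
            "cn=Account Admins,ou=System Groups,dc=example,dc=com",
        ]
    },
    "cn=Account Admins,ou=System Groups,dc=example,dc=com": {
        "member": [
            "uid=Account Admin,ou=System Accounts,dc=example,dc=com",
            "uid=jsmith,ou=people,dc=example,dc=com",
        ]
    },
}

# The dn.regex from the ACL: ou=sudoers itself or any direct child of it.
SUDOERS_RE = re.compile(r"^([^,]+,)?ou=sudoers,dc=example,dc=com$")
SUDO_ADMINS = "cn=Sudo Admins,ou=System Groups,dc=example,dc=com"


def expand_member_star(dn, seen=None):
    """Model '[dn]/member*': follow 'member' transitively (the set '*'
    closure), collecting every DN reached; cycle-safe via 'seen'."""
    seen = set() if seen is None else seen
    for m in DIRECTORY.get(dn, {}).get("member", []):
        if m not in seen:
            seen.add(m)
            expand_member_star(m, seen)
    return seen


def set_clause_matches(group_dn, bind_dn, intersect_user):
    """A set clause grants when the resulting set is non-empty. With
    '& user' the set is closure INTERSECT {bind_dn}; without it the closure
    alone is used, which is non-empty for any binder once the group has
    members, i.e. everyone matches."""
    closure = expand_member_star(group_dn)
    result = closure & {bind_dn} if intersect_user else closure
    return bool(result)


def access_for(target_dn, bind_dn, intersect_user=True):
    """Evaluate the posted ACL: first matching 'by' clause wins."""
    if not SUDOERS_RE.match(target_dn):
        return None  # this ACL does not apply to the target entry
    if set_clause_matches(SUDO_ADMINS, bind_dn, intersect_user):
        return "write"
    return "read"  # falls through to 'by * read'
```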